Introductory course EGEE Grid Security HunGrid Virtual Organisation - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Introductory course: EGEE Grid Security, HunGrid
Virtual Organisation
  • Norbert Podhorszki
  • MTA SZTAKI

EGEE is funded by the European Union under
contract IST-2003-508833
2
Acknowledgement
  • This tutorial is based on the work of many
    people
  • Fabrizio Gagliardi, Flavia Donno and Peter Kunszt
    (CERN)
  • the EDG developer team
  • the EDG training team
  • the NeSC training team
  • the SZTAKI training team

3
Content
  • EGEE
  • Introduction
  • Components
  • Jobs
  • Security
  • problems
  • digital certificates
  • HunGrid VO
  • virtual organisations in EGEE
  • the HunGrid VO
  • How to join?

4
The Grid Vision
The Grid: networked data processing centres, with
middleware software as the glue of resources.
5
What do we expect from the Grid?
  • Access to a world-wide virtual computing
    laboratory with almost infinite resources
  • Possibility to organize distributed scientific
    communities in VOs
  • Transparent access to distributed data and easy
    workload management
  • Easy to use application interfaces

6
CERN: Data intensive science in a large
international facility
  • The Large Hadron Collider (LHC)
  • The most powerful instrument ever built to
    investigate elementary particles physics
  • Data Challenge
  • 10 Petabytes/year of data !!!
  • 20 million CDs each year!
  • Simulation, reconstruction, analysis
  • LHC data handling requires computing power
    equivalent to 100,000 of today's fastest PC
    processors!

[Images: Mont Blanc (4810 m); Downtown Geneva]
7
The EGEE Project
  • EU funded project (04/2004 to 03/2006)
  • EGEE offers the largest production grid facility
    in the world open to many applications (HEP,
    BioMedical, generic)
  • Existing production service based on LCG (derived
    from EDG software of FP5)
  • Next generation open source web-services
    middleware being re-engineered taking into
    account production/ deployment/ management needs
  • Well-defined, distributed support structure to
    provide eInfrastructure that is available to many
    application domains

www.eu-egee.org
8
LCG-2/EGEE-0 Status April 2005
[Map of participating sites, including Cyprus]
  • Total
  • > 100 Sites
  • 12000 CPUs
  • 6.5 PByte

9
Main Logical Machine Types (Services) in LCG-2
  • User Interface (UI)
  • Information Service (IS)
  • Computing Element (CE)
  • Frontend Node
  • Worker Nodes (WN)
  • Storage Element (SE)
  • Replica Catalog (RC,RLS)
  • Resource Broker (RB)

10
User Interface
  • The initial point of access to the LCG-2 Grid is
    the User Interface
  • This is a machine where
    • LCG users have a personal account
    • The user's certificate is installed
  • The UI is the gateway to Grid services
  • It provides a Command Line Interface to perform
    the following basic Grid operations:
    • list all the resources suitable to execute a
      given job
    • replicate and copy files
    • submit a job for execution on a Computing
      Element
    • show the status of one or more submitted jobs
    • retrieve the output of one or more finished jobs
    • cancel one or more jobs
  • One or more UIs are available at each site that
    is part of the LCG-2 Grid

11
Main Logical Machine Types (Services) in LCG-2

12
Computing Element
  • Computing Element: entry point into a queue of a
    batch system
  • information associated with a computing element
    is limited only to information relevant to the
    queue
  • Resource details relate to the system

[Diagram: a Grid Gate node running the infoService,
gatekeeper and batch server, in front of worker nodes,
each with CPU=PIV, RAM=2GB, OS=Linux]
A CE consists of homogeneous worker nodes
13
Main Logical Machine Types (Services) in LCG-2

14
Storage Element (SE)
  • A Storage Element (SE) provides uniform access
    and services to large storage spaces.
  • Each site includes at least one SE
  • They use two protocols:
    • GSIFTP for file transfer
    • Remote File Input/Output (RFIO) for file access
  • Storage Resource Manager (SRM) needs to take into
    account:
    • Transparent access to files (migration to/from
      disk pool)
    • Space reservation (on demand and in advance)
    • File status notification
    • Lifetime management

15
Main Logical Machine Types (Services) in LCG-2

16
Information System (IS)
  • The Information System (IS) provides information
    about the LCG-2 Grid resources and their status
  • The current IS is based on LDAP (Lightweight
    Directory Access Protocol), a directory service
    infrastructure which is a specialized database
    optimized for
    • reading,
    • browsing and
    • searching information.
  • the LDAP schema used in LCG-2 implements the GLUE
    (Grid Laboratory for a Uniform Environment)
    Schema

17
Main Logical Machine Types (Services) in LCG-2

18
Data Management
  • In LCG, the data files are replicated, on a
    temporary basis, to many different sites
    depending on where the data is needed.
  • The users or applications do not need to know
    where the data is located; they use logical file
    names
  • the Data Management services are responsible for
    locating and accessing the data.

19
Replication Services: Basic Functionality
Each file has a unique Grid ID (GUID). Locations
corresponding to the GUID are kept in the Replica
Location Service.
Users may assign aliases to the GUIDs. These are
kept in the Replica Metadata Catalog.
Files have replicas stored at many Grid sites on
Storage Elements.
The Replica Manager provides atomicity for file
operations, assuring consistency of SE and
catalog contents.
[Diagram: the Replica Manager in front of the Replica
Metadata Catalog, the Replica Location Service and
several Storage Elements]
20
Main Logical Machine Types (Services) in LCG-2

21
Job Management
  • The user interacts with Grid via a Workload
    Management System (WMS)
  • The Goal of WMS is the distributed scheduling
    and resource management in a Grid environment.
  • What does it allow Grid users to do?
    • To submit their jobs
    • To execute them on the best resources
      (the WMS tries to optimize the usage of resources)
    • To get information about their status
    • To retrieve their output

22
A Simple Configuration
[Diagram: User Interface, Resource Broker, Replica
Catalog and Information Service in the centre;
Computing Element 1 is CLOSE to Storage Element 1,
Computing Element 2 is CLOSE to Storage Element 2]
23
Security
24
Introduction to Security
  • What aspects of security should we be concerned
    about?
  • Authentication (Identification)
  • Confidentiality (Privacy)
  • Integrity (non-Tampering)
  • Authorisation
  • Also:
    • Accounting
    • Delegation
    • Non-Repudiation

25
How do I login on the Grid ?
  • Distribution of resources: secure access is a
    basic requirement
    • secure communication
    • security across organisational boundaries
    • "single sign-on" for users of the Grid
  • Two basic concepts
    • Authentication: Who am I?
      • Equivalent to a passport, ID card etc.
    • Authorisation: What can I do?
      • Certain permissions, duties etc.

26
Encrypting for Confidentiality
  • Sending a message using asymmetric keys:
    • Encrypt message using Receiver's public key
    • Send encrypted message
    • Receiver decrypts message using own private key
  • Only someone with Receiver's private key can
    decrypt message

[Diagram: (1) in the Sender's space, "Hello World" is
encrypted with openssl using the Receiver's public key;
(2) the ciphertext "hR3a rearj" travels through public
space; (3) in the Receiver's space it is decrypted with
the Receiver's private key back to "Hello World"]
27
Signing for Authentication
  • Encrypt message with Sender's private key
  • Send encrypted message
  • Message is readable by ANYONE with Sender's
    public key
  • Receiver decrypts message with Sender's public
    key
  • Receiver can be confident that only someone with
    Sender's private key could have sent the message

[Diagram: (1) in the Sender's space, "Hello World" is
encrypted with openssl using the Sender's private key;
(2) the result "n52krj rer" travels through public
space, where the Sender's public key is available to
everyone; (3) in the Receiver's space it is decrypted
with the Sender's public key; (4) "Hello World" is
recovered]
28
Problem of Authentication
  • What if the public key is stolen? Can the
    Receiver be sure that the Sender's public key is
    really the Sender's public key and not someone
    else's?

[Diagram: the Attacker generates a key pair and the
Attacker's public key is advertised as the Sender's
public key; the Attacker encrypts "You are a looser"
with the Attacker's private key (giving "s76gthklds"),
while the Sender encrypts "Hello World" with the
Sender's private key (giving "n52krj rer"); the
Receiver, decrypting with the advertised key, reads
"You are a looser" as if it came from the Sender]
29
Digital Certificates
  • How can B be sure that A's public key is really
    A's public key and not someone else's?
  • A third party guarantees the correspondence
    between public key and owner's identity, by
    signing a document which contains the owner's
    identity and his public key (Digital Certificate)
  • Both A and B must trust this third party
  • Two models
    • X.509: hierarchical organisation
    • PGP: web of trust

30
Certificate contents
  • The certificate that you present to others
    contains:
  • Your distinguished name (DN)
    • your identifier
  • Your public key
    • anyone can send a secret message to you
  • The identity of the CA who issued the certificate
    • just a name
  • Its expiry date
    • the certificate's expiry date (usually issued for
      one year)
  • Digital signature of the CA which issued it
    • the certificate encrypted with the CA's private
      key

31
Involved entities
[Diagram: the Certificate Authority issues a
certificate to the User, who holds a public key, a
private key and the certificate and presents it to a
Resource (a site offering services)]
32
Certificate Request
  • User generates public/private key pair.
  • User sends public key to CA along with proof of
    identity.
  • CA confirms identity, signs certificate and sends
    it back to user.
  • Cert = signed public key.
  • Private key encrypted on local disk.
33
X.509 certificates and authentication
[Diagram: A authenticates to B]
  • A sends A's certificate to B
  • B verifies the CA signature
  • B sends a random phrase to A
  • A encrypts the phrase with A's private key
  • A sends the encrypted phrase to B
  • B decrypts it with A's public key
  • B compares the result with the original phrase
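The flow of slides 26 to 33 carried out with the openssl command line, as an added example that is not part of the original presentation: a CA issues a certificate to a user, a resource verifies the CA signature (and rejects a self-certified key presented under the same DN, the situation of slide 28), then runs the random-phrase challenge of slide 33, and finally a message is encrypted for the certificate holder as on slide 26. It assumes an installed openssl binary; the CA name, the user's DN and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): the certificate flow of slides 26-33
# with the openssl CLI. Assumes openssl is installed; all names/DNs are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
DN="/C=HU/O=Demo Grid/OU=GRID/CN=John Smith"

# Slide 32, CA side: key pair plus a self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/C=HU/O=Demo Grid/CN=Demo CA" -days 365 >/dev/null 2>&1
}
# Slide 32, user side: key pair and a request carrying the user's DN; the CA
# (after checking identity out of band) signs it into user.crt.
issue_user_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "$DN" >/dev/null 2>&1
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out user.crt -days 365 >/dev/null 2>&1
}
# Slide 28: an attacker's own key, presented under John Smith's DN but
# certified by nobody the Receiver trusts (here: self-signed).
make_impostor() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout imp.key -out impostor.crt \
    -subj "$DN" -days 365 >/dev/null 2>&1
}
# Slide 33, "verify CA signature": only certificates signed by the trusted CA
# pass, so the impostor's identical DN does not help.
verify_cert() {  # $1 = presented certificate, $2 = trusted CA certificate
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Slide 33, the challenge: B sends a random phrase, A signs it with the private
# key, B checks the signature with the public key taken from A's certificate.
challenge() {  # $1 = certificate of A, $2 = private key of A
  openssl rand -hex 16 > phrase.txt
  openssl dgst -sha256 -sign "$2" -out phrase.sig phrase.txt
  openssl x509 -in "$1" -pubkey -noout > pub.pem
  if openssl dgst -sha256 -verify pub.pem -signature phrase.sig phrase.txt \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Slide 26: encrypt for the certificate holder; only user.key can decrypt.
roundtrip() {  # $1 = message
  openssl x509 -in user.crt -pubkey -noout > pub.pem
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey pub.pem -out msg.enc
  openssl pkeyutl -decrypt -inkey user.key -in msg.enc
}
make_ca; issue_user_cert; make_impostor
echo "genuine: $(verify_cert user.crt ca.crt), impostor: $(verify_cert impostor.crt ca.crt)"
echo "challenge: $(challenge user.crt user.key), decrypted: $(roundtrip 'Hello World')"
```

The impostor certificate carries exactly the DN of the genuine one, so the only thing that distinguishes the two at the resource is the CA signature check; a client that skipped `openssl verify` would accept the attacker's key just as slide 28 shows.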
34
Certificate classification
  • User certificate
    • issued to a physical person
    • DN: C=CH, O=CERN, OU=GRID, CN=John Smith
    • the only kind of certificate good for a client,
      i.e. to send Grid jobs etc.
  • Host certificate
    • issued to a machine (e.g. a secure web server,
      etc.)
    • request signed with a user certificate
    • DN: C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
  • Grid host certificate
    • issued to a Grid service (e.g. a Resource Broker,
      a Computing Element, etc.)
    • request signed with a user certificate
    • DN: C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
  • Service certificate
    • issued to a program running on a machine
    • request signed with a user certificate
    • DN: C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

35
Grid Security Infrastructure (GSI)
  • Globus Toolkit™ proposed and implements the Grid
    Security Infrastructure (GSI)
  • Protocols and APIs to address Grid security needs
  • GSI protocols extend standard public key
    protocols
    • Standards: X.509, SSL/TLS
    • Extensions: X.509 Proxy Certificates (single
      sign-on), Delegation
  • Proxy Certificate
    • Short term, restricted certificate that is
      derived from a long-term X.509 certificate
    • Signed by the normal end entity cert, or by
      another proxy
    • Allows a process to act on behalf of a user
    • Not encrypted and thus needs to be securely
      managed by the file system

36
Delegation
  • Proxy creation can be recursive
    • each time a new private key and a new X.509 proxy
      certificate, signed by the original key
  • Allows a remote process to act on behalf of the
    user
  • Avoids sending passwords or private keys across
    the network
  • The proxy may be a Restricted Proxy: a proxy
    with a reduced set of privileges (e.g. cannot
    submit jobs).

37
Virtual Organisations (VO) and certificate
request process in practice
38
What is the Virtual Organisation?
  • A Virtual Organisation (VO) is a collection of
    people in the same administrative domain
  • The EGEE Grid works with Virtual Organisations
    (VO)
  • A VO is simply a group of Grid users with similar
    interests and requirements
    • who are able to work collaboratively with other
      members of the group
    • and/or share resources (data, software, cpu,
      storage space, etc) regardless of geographical
      location
  • Need to be a member of a VO before we are allowed
    to submit jobs to the Grid
  • There are several VOs already established (Alice,
    Atlas, Babar, HunGrid, Central Europe VO)

39
Virtual Organisation for Grid Users
  • I am a Grid user that wants to belong to a VO
  • To be authorized to submit jobs to the grid you
    have to belong to a Virtual Organisation (VO)
  • The request will be evaluated by the VO manager,
    deciding if you can join or not
  • To be able to register in one of the VOs the user
    has to own a valid certificate, issued by one of
    the known and accepted Certificate Authorities
    (CA)
  • A list of supported VOs can be found here:
    https://lcg-registrar.cern.ch/virtual_organization.html

40
The HunGrid Virtual Organisation
  • A new virtual organisation (VO) of EGEE
  • Created by KFKI-RMKI, SZTAKI and ELTE
  • The HunGrid VO is open for anybody in Hungary who
    would like to use the LHC Grid for educational
    purposes and/or scientific research
  • The HunGrid provides 7/24 Grid services
    • SEQ and MPI job submission
    • Storage services
    • Information system
    • Data management service
  • Register at http://www.lcg.kfki.hu
  • To register in the HunGrid VO one has to own a
    valid certificate, issued by one of the known and
    accepted Certificate Authorities
  • NIIFI issues new certificates for members of
    Hungarian institutes

41
The HunGrid Virtual Organisation
  • HunGrid is not just a VO
  • It has new tools extending the usability of the
    Grid
    • P-GRADE Portal
      • to graphically develop workflow applications
      • to execute applications easily on the Grid
    • Mercury monitor
      • to monitor parallel programs running on the Grid

42
http://www.lcg.kfki.hu
43
HunGrid: the Hungarian version of EGEE
[Map of sites: SZTAKI, KFKI-RMKI, ELTE, KKKI, each
labelled with its resources]
  • 250 processors
  • 3.4 TB storage space
  • 26 processors
  • 2 TB storage space
  • 5 processors
  • 1.5 TB storage space
  • 12 processors
  • 1 TB storage space

Further expansion: University of Veszprém (6),
University of Miskolc (30), University of Szeged (50)
44
Get a certificate for yourself
  • In order to control the accesses over the Grid,
    every user has to identify her/himself before
    submitting a job
  • This is realized via the use of certificates
  • The certificates are issued by the Certificate
    Authorities
  • Obtain a certificate from the accepted
    Certificate Authority (CA)
  • Get a certificate from the NIIF CA at
    http://www.ca.niif.hu
    • The NIIF CA provides PKI (Public Key
      Infrastructure) services for the Hungarian
      academic community
    • The NIIF CA is operated by the National
      Information Infrastructure Development Office,
      http://www.niif.hu

45
http://www.ca.iif.hu
46
Register in a Virtual Organisation
  • You have to be a member of at least one Virtual
    Organisation in order to be able to use the Grid
  • After that you can use the resources of all those
    sites which support the VO (in this case the
    HunGrid VO) where you are registered
  • To register it is necessary to use a WWW
    browser with the user certificate installed, so
    that the request is properly authenticated

47
http://www.grid.kfki.hu/Hungrid-Registrar/hungrid.pl